Okta Alert Details
Alert ID: OKTA-EXTERNAL-REMOTE-7842
Alert Time: 2024-02-11 07:30:45 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Suspicious VPN Login – New Location + Impossible Travel”
MITRE ATT&CK: T1133 – External Remote Services
Alert Details:
User: awilson@company.com (Alex Wilson, IT Administrator)
Application: Palo Alto GlobalProtect VPN
Time: 07:28 EST
Risk Signals:
1. New Location:
– City: Moscow, Russia
– IP: 89.248.165[.]23
– ISP: Digital Energy LLC
– First time this user has logged in from Russia
2. Impossible Travel:
– Previous login: 07:00 EST from New York, USA
– Current login: 07:28 EST from Moscow, Russia
– Travel time required: 10+ hours
– Actual time elapsed: 28 minutes
– Score: 99/100 (impossible)
3. Device Profile:
– Device: Windows 10 (unrecognized)
– Browser: Chrome 121
– User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
– No previous authentication from this device
4. Authentication Method:
– Username/Password + Okta Verify (MFA)
– MFA push accepted from Moscow location
– User’s registered device is in New York
Additional Context:
– User has privileged access (IT Administrator)
– Can access critical systems via VPN
– No travel plans to Russia
– MFA push acceptance suggests the attacker may have compromised the user’s device or performed a SIM swap (to be confirmed during investigation)
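The impossible-travel check behind risk signal 2, as an added example in Python (not Okta's own rule, whose scoring is not shown here): great-circle distance between the two login locations compared with the time elapsed. The city coordinates and the 900 km/h speed ceiling are assumptions; the alert's "10+ hours" figure presumably includes airport and transfer overhead that this simple version ignores.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EST = timezone(timedelta(hours=-5))
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling: roughly commercial-airliner speed

@dataclass
class Login:
    user: str
    when: datetime   # timezone-aware
    city: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(a: Login, b: Login) -> dict:
    """Order the two logins by time, compute how long the trip would take at the
    assumed speed ceiling, and flag the pair when that exceeds the elapsed time."""
    prev, cur = sorted((a, b), key=lambda l: l.when)
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    elapsed_h = (cur.when - prev.when).total_seconds() / 3600
    required_h = distance / MAX_PLAUSIBLE_SPEED_KMH
    # None when both logins share the same instant (no finite speed to report)
    implied = round(distance / elapsed_h) if elapsed_h > 0 else None
    return {"user": cur.user, "route": f"{prev.city} -> {cur.city}",
            "distance_km": round(distance), "elapsed_h": round(elapsed_h, 2),
            "required_h": round(required_h, 2), "implied_speed_kmh": implied,
            "impossible": required_h > elapsed_h}

# Constructed sample: the two logins from the alert; coordinates are city centroids.
PREV = Login("awilson@company.com", datetime(2024, 2, 11, 7, 0, tzinfo=EST),
             "New York", 40.7128, -74.0060)
CUR = Login("awilson@company.com", datetime(2024, 2, 11, 7, 28, tzinfo=EST),
            "Moscow", 55.7558, 37.6173)

if __name__ == "__main__":
    print(impossible_travel(PREV, CUR))
```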
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Okta risk signals | Okta Admin Console | Confirmed impossible travel + new location |
| 2. User Contact | Reach user immediately | Phone, Teams, In-person | User confirmed in New York; did not approve MFA |
| 3. Immediate Containment | Disable user account | Okta, Active Directory | Account disabled within 5 minutes |
| 4. Session Termination | Revoke all active sessions | Okta, VPN | All sessions terminated |
| 5. Investigation | Determine MFA bypass method | Okta Logs, Mobile Device | User’s Okta Verify push was accepted; likely MFA fatigue attack |
| 6. Credential Reset | Force password reset | Okta, AD | Password reset; MFA re-enrolled |
Jira Incident Report
Ticket: SOC-2024-059
Summary: T1133 – External Remote Services – Compromised VPN Access via MFA Fatigue
Status: RESOLVED
Resolution: MALICIOUS – Account Takeover Attempt
Priority: P1 – CRITICAL
Labels: T1133, external-remote-services, vpn, okta, mfa-fatigue, privileged-account
Components: Identity-Management, Remote-Access
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Okta Identity Cloud.
Alert: “Suspicious VPN Login – New Location + Impossible Travel”.
User: awilson@company.com (IT Administrator).
Time: 2024-02-11 07:30 EST.
Technique: MITRE ATT&CK T1133 – External Remote Services.
2. Technical Analysis:
Attack Details:
Initial Access: Attacker obtained user credentials (likely via phishing).
MFA Bypass: MFA fatigue attack – user received repeated push notifications until they accidentally accepted.
Source IP: 89.248.165[.]23 (Moscow, Russia)
Target: Palo Alto GlobalProtect VPN
Timeline:
07:00 – Legitimate login from New York (user starts work)
07:25 – Attacker attempts login from Moscow
07:25-07:27 – 12 MFA push notifications sent to user’s phone
07:28 – User finally accepts push (MFA fatigue)
07:28 – Attacker gains VPN access
07:30 – Okta impossible travel alert triggers
07:31 – SOC begins investigation
07:32 – User contacted; confirms no travel
07:33 – Account disabled; sessions terminated
Attacker Activity During Access (2 minutes):
Connected to VPN
Attempted RDP to IT jump box (blocked by firewall)
No other actions logged (account disabled quickly)
Privileges:
IT Administrator access to servers, network devices
No access to financial systems
3. Investigation Findings:
User Interview:
User reported receiving multiple Okta Verify push notifications.
Thought it was a glitch; accidentally approved one.
Confirmed no travel; phone still in possession.
MFA Fatigue Attack:
Attacker bombarded user with pushes until approval.
No SIM swap; user’s device secure.
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 89.248.165[.]23 (Russia)
– VPN session logs (terminated)
Account:
– User: awilson@company.com
4. Containment Actions:
Immediate Actions (07:31-07:35 EST):
Disabled user account in Okta and Active Directory.
Revoked all active VPN sessions.
Blocked attacker IP at firewall.
Remediation (07:35-08:30 EST):
Forced password reset for user.
Re-enrolled MFA (Okta Verify only, no SMS).
Reviewed account activity logs for any changes (none).
User Communication:
User briefed on MFA fatigue attacks.
Reinforced never to approve unexpected pushes.
5. Root Cause Analysis:
Primary Cause: MFA fatigue attack – user overwhelmed and approved malicious push.
Contributing Factors:
Credentials compromised via prior phishing.
No number matching in Okta Verify (push approval only).
User not trained on MFA fatigue attacks.
6. Business Impact:
Operational Impact: IT admin offline for 1 hour.
Data Exposure: None (account disabled quickly).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Account secured.
MFA re-enrolled.
User educated.
Technical Controls Enhanced:
Enabled number matching in Okta Verify (user must enter number from screen).
Implemented conditional access policy blocking impossible travel logins.
Reduced MFA push timeout and maximum attempts.
Added alerting for excessive MFA push rejections.
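As an added example for the alerting on excessive MFA pushes listed above (not the team's actual rule or an Okta feature), a Python detector run over a constructed Okta-style log that reproduces the incident timeline: twelve pushes in two minutes, three denials, then an accepted push from the alert's IP. The event type names are assumptions modelled on Okta System Log naming and must be checked against a real tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names are assumptions modelled on Okta System Log naming; confirm
# them against the tenant's real events before using this as a detection rule.
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_RESULT = "user.authentication.auth_via_mfa"
WINDOW = timedelta(minutes=10)  # look-back used to group pushes into one burst
PUSH_THRESHOLD = 5              # pushes per window that count as bombardment
def _ev(ts, etype, user, result="SUCCESS", ip="89.248.165.23"):
    # One constructed record with only the fields the rule reads; 'published' is pre-parsed.
    return {"published": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}
# Constructed sample log (UTC): 12 pushes to awilson 07:25-07:27 EST, three denials,
# then an accepted push at 07:28 EST from the alert's IP; bsmith is a normal login.
SAMPLE_LOG = (
    [_ev(f"2024-02-11T12:{25 + i // 6}:{(i % 6) * 10:02d}Z", PUSH_SENT, "awilson@company.com")
     for i in range(12)]
    + [_ev(t, PUSH_DENIED, "awilson@company.com", "FAILURE")
       for t in ("2024-02-11T12:25:15Z", "2024-02-11T12:25:45Z", "2024-02-11T12:26:25Z")]
    + [_ev("2024-02-11T12:28:00Z", MFA_RESULT, "awilson@company.com"),
       _ev("2024-02-11T12:30:00Z", PUSH_SENT, "bsmith@company.com", ip="203.0.113.10"),
       _ev("2024-02-11T12:30:05Z", MFA_RESULT, "bsmith@company.com", ip="203.0.113.10")]
)

def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Per user: first window holding >= threshold pushes, plus denials and any MFA success after it."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        by_user[e["actor"]["alternateId"]].append(e)
    findings = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["eventType"] == PUSH_SENT]
        for i, first in enumerate(pushes):
            start = first["published"]
            burst = [p for p in pushes[i:] if p["published"] - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]["published"]
            later = [e for e in evs if start <= e["published"] <= end + window]
            findings.append({"user": user, "push_count": len(burst),
                "denials": sum(e["eventType"] == PUSH_DENIED for e in later),
                "accepted_after_burst": any(e["eventType"] == MFA_RESULT and e["published"] >= end
                                            and e["outcome"]["result"] == "SUCCESS" for e in later),
                "source_ips": sorted({e["client"]["ipAddress"] for e in burst})})
            break  # one alert per user; later windows are the same burst
    return findings
```

A finding with accepted_after_burst set is this incident's pattern; one without it is a bombardment the user resisted, which still indicates the password is known to someone else.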
8. Conclusion:
This incident involved an MFA fatigue attack leading to VPN access by an attacker. Rapid detection via Okta’s impossible travel rule and immediate containment prevented any malicious activity. Enhanced MFA controls will prevent similar attacks.
Closure Rationale: Account secured; attacker blocked; enhanced MFA controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 09:00 EST